On 22 August 2024, the Dutch Central Bank (De Nederlandsche Bank, DNB) published guidelines on the information register required under the EU’s Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA). According to DORA, financial entities must maintain a register of all contractual agreements with ICT third-party service providers. This register is essential for managing ICT third-party risks and will be used by Member State competent authorities and the European Supervisory Authorities (ESAs) to ensure compliance with DORA and to identify critical ICT third-party service providers subject to DORA’s oversight regime.
DNB emphasizes that financial entities must have their registers ready to report by early 2025 and so far the ESAs have provided a draft template (the draft template is available via this link). Although the exact reporting format is yet to be confirmed, DNB anticipates the xBRL-CSV standard with a table-oriented layout for the data (also called ‘plain CSV’) will be chosen for steady-state by 2025. To make the reporting process as effective and efficient as possible, DNB intends to follow the reporting standard that the ESAs will adopt.
To support those financial entities that are unable to implement the reporting standard on time, DNB intends to make available an alternative delivery method in 2025 in addition to the steady-state delivery method. Financial entities wishing to use this method will need to deliver the information register in a predetermined Excel template. DNB will then convert the Excel file to the reporting standard as drawn up by the ESAs. DNB expects the Excel file to be used for this purpose to publish later this year.
DNB intends to communicate final decisions on the reporting standard for the information register as soon as possible.
The DNB’s guidelines are available only in Dutch via this link.